All:

I'm using this Snort signature to distinguish between the original and recent variant of CodeRed. I'm sure it can be optimized -- grabbed a bit of the binary around the text "CodeRedII" in the packet to cut down on false alarms. Putting it out so folks can log the differences.

alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

Best Regards,
Joe Moll

--
Joseph L. Moll, CISSP -- jmollat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
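The following is an added example, not part of Joe's post and not Snort's own code: it decodes the rule's `|...|` hex content into bytes, applies the `depth:624` constraint the way Snort does (the whole pattern must fall within the first 624 payload bytes), and runs the check over three constructed (not captured) HTTP payloads, showing why matching the surrounding binary rather than the bare string "CodeRedII" avoids a false alarm on ordinary text.

```python
# Snort content string and depth exactly as given in the signature above.
RULE_CONTENT = "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"
RULE_DEPTH = 624


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content spec into raw bytes.

    Text outside |...| is taken literally; text inside |...| is hex with
    optional spaces (e.g. "GET |2f 64|" -> b"GET /d").
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # even chunks are literal text
            out += part.encode("latin-1")
    return bytes(out)


def matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort 'depth' semantics: the pattern must end within the first `depth` bytes."""
    return pattern in payload[:depth]


PATTERN = parse_snort_content(RULE_CONTENT)      # 32 bytes, contains b"CodeRedII"

# Constructed sample payloads (assumed, not real traffic) to exercise the rule.
SAMPLE_HIT = (b"GET /index.htm HTTP/1.0\r\nHost: x\r\n\r\n"
              + b"X" * 200 + PATTERN + b"\x00" * 16)           # binary context present, in depth
SAMPLE_TEXT_ONLY = b"POST /guestbook HTTP/1.0\r\n\r\nname=CodeRedII+fan"  # bare string only
SAMPLE_TOO_DEEP = b"GET / HTTP/1.0\r\n\r\n" + b"X" * 700 + PATTERN       # pattern past byte 624


def classify(payload: bytes) -> str:
    """Return the alert message the rule would raise, or 'no alert'."""
    return "CodeRedII Overflow" if matches(payload, PATTERN, RULE_DEPTH) else "no alert"


if __name__ == "__main__":
    for name, payload in (("hit", SAMPLE_HIT),
                          ("text-only", SAMPLE_TEXT_ONLY),
                          ("too-deep", SAMPLE_TOO_DEEP)):
        print(f"{name:10s} -> {classify(payload)}")
```

Only the first payload fires; the plain-text mention of "CodeRedII" and the copy placed beyond the depth window do not, which is the behaviour the signature is tuned for.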
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 23:41:23 PDT